Cisco CCIE Security 350-701 - IOS – Zone Based Firewall Part 1

  1. IOS – Zone Based Firewall

Now in this section our main focus will be on understanding the same firewall concepts on a Cisco IOS router. There is a feature called the zone-based firewall (ZBF) which can be implemented on a Cisco IOS router, and it provides firewall functionality similar to the ASA. So just like the ASA, it also provides deep packet inspection. If we go back to the earlier concepts, the basic definition of a firewall is a system, or a group of systems, that manages the access between two or more different networks. For example, you may want to say that the users sitting in the LAN should be allowed to access the Internet, but any traffic initiated from the Internet should not enter the LAN. At the same time you want to allow users on the Internet to access some services in the DMZ.

So we can configure a firewall, and this firewall can also be a Cisco IOS router enabled with the zone-based firewall feature, so we can do deep packet inspection in much the same way as on the ASA firewalls. The zone-based firewall is like an ASA that can do deep packet inspection, but here we don't have any kind of security levels like we did on the ASA. If we go back to the basic ASA concepts, we define levels: 100 on the LAN (trusted) interface, 0 on the interface facing the Internet, and maybe 50 on the DMZ. By default traffic is allowed from a higher level to a lower level and denied from lower to higher. In the case of the zone-based firewall, we instead associate the interfaces with zones. We can use any name, like zone one and zone two, or simply names such as LAN for one interface and Internet for another.

By default no traffic will flow between two zones, and if you want to allow specific traffic between zones, we need to configure policies. We'll talk more about the zones and the configuration as we go ahead. So the zone-based firewall works based on security zones, and we configure firewall policies which define what traffic is allowed between two zones and in which direction. The zone-based firewall replaces the older feature called CBAC (Context-Based Access Control). CBAC is no longer used; its default behaviour is that all traffic is allowed, and we generally write deny statements and then configure ACLs to allow the traffic and permit the return traffic. Typically we don't use that feature any more.

  2. ZBF – Configuration Overview

Okay, next we'll see a configuration overview of the zone-based firewall. The first thing we do is create the zones. As I said, a zone is more like a name: just as in the ASA configuration we define names like LAN, Internet and DMZ, here we define logical names and call them security zones; any logical names can be used. Then we associate these security zones with the interfaces. Once we associate the interfaces with the zones, by default the traffic between the zones is blocked; there are no higher or lower levels here.

So by default all traffic from any zone to any other zone, like going from LAN to Internet, is denied. So the first step is to create the security zones and then assign them to the interfaces. The next thing is to define what traffic you want to allow. For example, I want to make sure that the users sitting in my LAN are able to send HTTP traffic as well as FTP traffic, or maybe some ICMP traffic. So we need to classify the traffic, and classification is done with the help of class maps. We can also write ACLs if we want to match more specifically, saying that I want to match traffic coming from one particular source network going to any destination, if it is HTTP or FTP or ICMP.

So we classify the traffic with class maps, very similar to the class maps we used in the basic ASA configuration or in control plane policing, which I discussed earlier. Once you have defined what traffic you want to allow, we configure a policy map. In the policy map we tell what action to take. Generally we have multiple options: we can simply say pass, drop, or inspect. Generally we use inspect. Inspect ensures that your traffic is allowed and, at the same time, the return traffic is also allowed automatically.

If I simply say pass, it means just allow the traffic, but it will not keep track of the return traffic. With drop you can drop specific traffic moving between the zones. But by default all traffic between zones is dropped, so we don't normally need to specify drop: any traffic not matching the policy map will be dropped automatically. Finally we need to associate this policy map with the zones and tell the direction; that's what we call creating a zone pair. In the zone pair we say that if the traffic is coming from the source zone LAN and going to the destination zone Internet, apply this policy.
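The five steps above put together as an added example (this is not configuration from the lecture); the interface numbers, the 10.1.1.0/24 LAN prefix and all zone, ACL and map names are assumed:

```cisco
! 1. Create the security zones (names assumed).
zone security LAN
zone security INTERNET
!
! 2. Assign the interfaces to the zones (interface numbers assumed).
interface GigabitEthernet0/0
 description Inside LAN
 zone-member security LAN
interface GigabitEthernet0/1
 description Toward the Internet
 zone-member security INTERNET
!
! 3. Classify the traffic. The match-any class matches if the flow is
!    HTTP, FTP or ICMP; the match-all class additionally requires the
!    source to be in the LAN prefix (constructed ACL).
ip access-list extended LAN-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol http
 match protocol ftp
 match protocol icmp
class-map type inspect match-all LAN-TO-INTERNET-CLASS
 match access-group name LAN-HOSTS
 match class-map ALLOWED-PROTOCOLS
!
! 4. Policy: inspect the allowed traffic so its return traffic is
!    permitted statefully; everything else is dropped (and logged).
policy-map type inspect LAN-TO-INTERNET-POLICY
 class type inspect LAN-TO-INTERNET-CLASS
  inspect
 class class-default
  drop log
!
! 5. Zone pair: direction LAN -> INTERNET only. No INTERNET -> LAN pair
!    exists, so Internet-initiated sessions stay denied by default.
zone-pair security LAN-TO-INTERNET source LAN destination INTERNET
 service-policy type inspect LAN-TO-INTERNET-POLICY
!
! Verification:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```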

  3. ZBF – Security Zones

In the IOS zone-based firewall we have two types of security zones: user-defined security zones and the system-predefined security zone. A user-defined zone is nothing but an interface assigned a name like LAN or Internet, or any other name; we call it user defined because the name is defined by the administrator, and it deals with traffic moving through the router. So for any traffic you want to control between two user-defined zones, we refer to these names. You can use any name, like inside, outside, DMZ, trusted, untrusted. It typically deals with traffic moving through the router, coming in on one interface and going out another interface; in simple words, from one zone to another zone.

Now, you may also want to configure policies for traffic destined to the router itself. For example, you may want to deny specific users on the outside network from trying to telnet to the router. That is traffic destined to the router. Or you may want to make sure this router does not send or accept NTP traffic, or SSH traffic, or does not send any log messages out of a particular interface. In that case we configure policies based on the system-predefined zone. The system-predefined zone deals with traffic that is either destined to the router configured with the zone-based firewall or initiated by the router itself.

So it's not the traffic transiting from one interface to another; it's traffic destined to or sourced from the router itself, typically control-plane traffic such as routing protocol traffic. For example, you don't want to send OSPF messages out of this interface, or don't want to accept OSPF traffic from a specific device on the outside interface, or telnet or SSH, these kinds of options. We'll configure such policies based on the system-predefined zone, which is why you'll see it typically called the self zone. So when we write policies, we either refer to the name of a user-defined zone or to the self zone.

  4. ZBF – Default Flow

Next we need to understand the default traffic flow between interfaces assigned to security zones. Let's say I assign this interface to a zone called LAN, this interface to a zone called Internet, and I create a third zone called DMZ and assign it to this interface. Now I have three separate zones configured and applied to the interfaces. By default, traffic between interfaces in two different zones will not flow. There are no levels here: traffic from LAN to Internet is not allowed by default, and traffic from the Internet interface to the LAN interface is not allowed by default.

So by default it is dropped. You need to write a policy specifically to allow the users sitting in the LAN to access the Internet, and if you want someone on the Internet to access LAN resources such as servers, you need to write a policy for that as well. Firewall policies must be configured to control what inter-zone traffic is allowed or denied. Intra-zone traffic is different. Let's take an example: I have one more interface, maybe two LANs, and I assign it the same zone name, LAN. We can assign two interfaces to the same security zone, and by default the traffic between those two interfaces is allowed. Only if you want to deny specific traffic between those two interfaces do we need to write a firewall policy; otherwise we don't write any policy.

So traffic between two interfaces assigned to the same zone is allowed by default. The next thing is traffic between a user-defined zone and the self zone. Self zone means, let's say, you want to initiate a telnet connection from this device, or to the router from the LAN interface; by default it is allowed. So traffic between any user-defined zone and the router itself, whether destined to the router or initiated by the router, is allowed by default. If you want to specifically control what should be denied, for example the router should not send any OSPF messages on the outside (Internet) interface, you write a policy for that.

At the same time you may want to ensure that no one from the outside interface is able to telnet or SSH to my router, or to ping my interface. In that case we need to write a firewall policy to deny that particular traffic. So, to summarise the default flow: between interfaces in different zones, traffic is denied by default; between two interfaces assigned to the same security zone, traffic is allowed by default; and between any zone and the self zone, traffic is allowed by default.
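An added example (not from the lecture) of the self-zone policy described here and in the Security Zones section: an INTERNET-to-self zone pair that drops telnet, SSH and OSPF arriving from the outside and destined to the router, while keeping every other traffic to the router at its default-allow. The zone name INTERNET is assumed to exist and be bound to the outside interface; the ACL and map names are assumed.

```cisco
! Assumes: zone security INTERNET exists and is assigned to the outside
! interface. Only traffic addressed to the router itself hits this pair;
! transit traffic is governed by the user-defined zone pairs.
!
! Management protocols we refuse from the outside.
class-map type inspect match-any MGMT-FROM-OUTSIDE
 match protocol telnet
 match protocol ssh
!
! Routing-protocol traffic the router should not accept on the outside
! (constructed ACL; OSPF is matched by IP protocol, not by port).
ip access-list extended OSPF-IN
 permit ospf any any
class-map type inspect match-all OSPF-FROM-OUTSIDE
 match access-group name OSPF-IN
!
policy-map type inspect INTERNET-TO-SELF-POLICY
 class type inspect MGMT-FROM-OUTSIDE
  drop log
 class type inspect OSPF-FROM-OUTSIDE
  drop log
 ! class-default in an inspect policy map drops unless told otherwise.
 ! "pass" here preserves the self zone's normal default-allow for the
 ! rest (e.g. ICMP, NTP, IPsec) once a policy is attached.
 class class-default
  pass
!
! Direction INTERNET -> self only. There is no self -> INTERNET pair,
! so router-initiated traffic (logging, NTP, updates) still flows by
! default, and nothing here affects LAN -> self access.
zone-pair security INTERNET-TO-SELF source INTERNET destination self
 service-policy type inspect INTERNET-TO-SELF-POLICY
!
! Verification: the drop counters should increment on a blocked attempt.
!   show policy-map type inspect zone-pair INTERNET-TO-SELF
```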

  5. Class-Map – Policy Map – Hierarchy

Configuration-wise, for the zone-based firewall, and also for control plane policing, we do the configuration using class maps and policy maps. If you are slightly aware of quality of service, it's the same kind of configuration used there, and on the ASA firewalls we call it the Modular Policy Framework. We use this configuration in the zone-based firewall feature, as we'll see as we go ahead, and in control plane policing we'll see a similar configuration. So in this video I'm going to show you how this configuration goes in general, meaning the hierarchy we use to configure these features.

Of course, we'll see the same kind of hierarchy in other implementations as well. We don't cover quality of service here, although it uses the same structure and is commonly deployed in VoIP networks; the other features we use here may reuse the same structure in other implementations too. So configuration-wise, we'll use class maps, policy maps, and then apply the policy map using a service policy. Class maps are used to match the traffic. For example, if you want to implement control plane policing for EIGRP traffic, we need to match the EIGRP traffic.

Maybe you want to match from any source to any destination, or from selected sources to selected destinations, like from the 10.x network. We match the traffic using class maps. We write a class map with some name and then say match protocol eigrp. When you define match protocol eigrp, it matches only EIGRP traffic. We can also say match protocol ospf, and by using the match-any option we can add BGP as well; if the traffic matches any one of the listed protocols, it matches the class. So class maps allow you to match specific traffic, whatever it may be; in quality of service or other features you may want to match FTP, HTTP or TFTP traffic, anything.

If you want to match a specific source and destination, we write an ACL and refer to that ACL inside the class map. So class maps tell what traffic to match, and next we use policy maps. The policy map tells what to do with that traffic, what action to take. We have different actions: you may want to allow (pass) the traffic, or drop it, or in quality of service do policing or rate limiting, where we have more options. In zone-based firewalls we use other options like inspect. Inspect means allow the traffic and also allow the return traffic. Policing means how many packets per second you want to allow. Pass means simply allow. Drop means don't allow that traffic.

So we have different sets of actions, and the policy map tells what to do with the matched traffic. Finally we apply the policy map. In quality of service we apply it on the interface; in the zone-based firewall we apply it to a zone pair, saying what traffic from which zone to which zone; in control plane policing we apply it to the control plane and tell the rate limit, how many packets to allow. So the hierarchy is: we create different class maps which match different traffic, we reference those class maps inside a policy map where we specify the action (marking or queuing in quality of service, rate limiting in control plane policing, inspect in the zone-based firewall; these options vary depending on the type of configuration and your requirement), and finally we apply the policy map: on a physical interface for quality of service, on a zone pair for the zone-based firewall, or under the control plane (or a control-plane sub-interface) for control plane policing. This is the typical hierarchy we use for any of the configurations I discussed.
